|
47 | 47 |
|
48 | 48 |
|
49 | 49 | import com.cloud.hypervisor.HypervisorGuru; |
| 50 | +import com.cloud.user.AccountManagerImpl; |
50 | 51 | import com.cloud.utils.crypt.DBEncryptionUtil; |
51 | 52 | import com.cloud.host.HostTagVO; |
52 | 53 | import com.cloud.storage.StoragePoolTagVO; |
53 | 54 | import com.cloud.storage.VolumeApiServiceImpl; |
54 | 55 | import com.googlecode.ipv6.IPv6Address; |
| 56 | +import org.apache.cloudstack.acl.RoleType; |
55 | 57 | import org.apache.cloudstack.acl.SecurityChecker; |
56 | 58 | import org.apache.cloudstack.affinity.AffinityGroup; |
57 | 59 | import org.apache.cloudstack.affinity.AffinityGroupService; |
@@ -470,6 +472,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati |
470 | 472 | private long _defaultPageSize = Long.parseLong(Config.DefaultPageSize.getDefaultValue()); |
471 | 473 | private static final String DOMAIN_NAME_PATTERN = "^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\\.)+[A-Za-z]{1,63}$"; |
472 | 474 | private Set<String> configValuesForValidation = new HashSet<String>(); |
| 475 | + private Set<String> configKeysAllowedOnlyForDefaultAdmin = new HashSet<String>(); |
473 | 476 | private Set<String> weightBasedParametersForValidation = new HashSet<String>(); |
474 | 477 | private Set<String> overprovisioningFactorsForValidation = new HashSet<String>(); |
475 | 478 |
|
@@ -533,6 +536,7 @@ public boolean configure(final String name, final Map<String, Object> params) th |
533 | 536 | populateConfigValuesForValidationSet(); |
534 | 537 | weightBasedParametersForValidation(); |
535 | 538 | overProvisioningFactorsForValidation(); |
| 539 | + populateConfigKeysAllowedOnlyForDefaultAdmin(); |
536 | 540 | initMessageBusListener(); |
537 | 541 | return true; |
538 | 542 | } |
@@ -596,6 +600,11 @@ private void overProvisioningFactorsForValidation() { |
596 | 600 | overprovisioningFactorsForValidation.add(CapacityManager.StorageOverprovisioningFactor.key()); |
597 | 601 | } |
598 | 602 |
|
| 603 | + protected void populateConfigKeysAllowedOnlyForDefaultAdmin() { |
| 604 | + configKeysAllowedOnlyForDefaultAdmin.add(AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key()); |
| 605 | + configKeysAllowedOnlyForDefaultAdmin.add(AccountManagerImpl.allowOperationsOnUsersInSameAccount.key()); |
| 606 | + } |
| 607 | + |
599 | 608 | private void initMessageBusListener() { |
600 | 609 | messageBus.subscribe(EventTypes.EVENT_CONFIGURATION_VALUE_EDIT, new MessageSubscriber() { |
601 | 610 | @Override |
@@ -1183,6 +1192,7 @@ protected String validateConfigurationValue(final String name, String value, fin |
1183 | 1192 | s_logger.error("Missing configuration variable " + name + " in configuration table"); |
1184 | 1193 | return "Invalid configuration variable."; |
1185 | 1194 | } |
| 1195 | + validateConfigurationAllowedOnlyForDefaultAdmin(name, value); |
1186 | 1196 |
|
1187 | 1197 | final String configScope = cfg.getScope(); |
1188 | 1198 | if (scope != null) { |
@@ -1347,6 +1357,33 @@ protected String validateConfigurationValue(final String name, String value, fin |
1347 | 1357 | return String.format("Invalid value for configuration [%s].", name); |
1348 | 1358 | } |
1349 | 1359 |
|
| 1360 | + protected void validateConfigurationAllowedOnlyForDefaultAdmin(String configName, String value) { |
| 1361 | + if (configKeysAllowedOnlyForDefaultAdmin.contains(configName)) { |
| 1362 | + final Long userId = CallContext.current().getCallingUserId(); |
| 1363 | + if (userId != User.UID_ADMIN) { |
| 1364 | + throw new CloudRuntimeException("Only default admin is allowed to change this setting"); |
| 1365 | + } |
| 1366 | + |
| 1367 | + if (AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key().equals(configName)) { |
| 1368 | + if (value != null && !value.isBlank()) { |
| 1369 | + List<String> validRoleTypes = Arrays.stream(RoleType.values()) |
| 1370 | + .map(Enum::name) |
| 1371 | + .collect(Collectors.toList()); |
| 1372 | + |
| 1373 | + boolean allValid = Arrays.stream(value.split(",")) |
| 1374 | + .map(String::trim) |
| 1375 | + .allMatch(validRoleTypes::contains); |
| 1376 | + |
| 1377 | + if (!allValid) { |
| 1378 | + throw new CloudRuntimeException("Invalid role types provided in value"); |
| 1379 | + } |
| 1380 | + } else { |
| 1381 | + throw new CloudRuntimeException("Value for role types must not be empty"); |
| 1382 | + } |
| 1383 | + } |
| 1384 | + } |
| 1385 | + } |
| 1386 | + |
1350 | 1387 | /** |
1351 | 1388 | * A valid value should be an integer between min and max (the values from the range). |
1352 | 1389 | */ |
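Review bot: The denial branch in `validateConfigurationAllowedOnlyForDefaultAdmin` throws without recording who attempted the change, so a rejected edit of these privilege-related settings leaves no audit trail; a line such as `s_logger.warn("User " + userId + " is not allowed to change restricted setting " + configName);` before the `throw` would give operators something to alert on. The method signals failure by throwing `CloudRuntimeException`, whereas the surrounding `validateConfigurationValue` returns an error string (e.g. `return "Invalid configuration variable.";`), so callers that only inspect the returned string should be checked for how they surface this exception. Because the restriction sits inside value validation, any path that writes these keys without calling `validateConfigurationValue` (a reset-to-default path, if the class has one outside the visible hunks) would presumably not be covered and is worth confirming. `userId` is declared as `Long` and compared with `!=` against `User.UID_ADMIN`, which is a numeric comparison only if that constant is a primitive `long`; declaring `final long userId` would make the intent explicit.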
|